@vpms/design-system @1.1.2
Vulnerability report · Last retrieved from osv.dev June 26, 2026 at 12:45 AM UTC
OSV ID
MAL-2026-6467
Ecosystem
npm
Summary
package.json declares preinstall="node index.js". On every npm install, index.js iterates process.env and harvests any variable whose name contains SECRET/TOKEN/PASSWORD/KEY/CREDENTIAL, plus an explicit list of high-value secrets (NPM_TOKEN, GITHUB_TOKEN, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AZURE_CLIENT_SECRET, GOOGLE_APPLICATION_CREDENTIALS, etc.). It also collects os.hostname(), os.userInfo().username, process.cwd(), process.platform, process.arch, and the output of execSync('ps -eo pid,pcpu,pmem,user,comm --sort=-pcpu | head -n 8'). The collected JSON is POSTed via https.request to a hardcoded Pipedream endpoint at eov0bmnid410yqf.m.pipedream.net. The package self-labels as a "PenTest design system" / canary but ships no design-system code — the main entry is solely the exfiltration script, and the @vpms scope appears to target an internal organization namespace (dependency-confusion shape). Self-labeling as a "pentest canary" does not excuse unsolicited bulk credential exfiltration from installers who never consented to a pentest scope.
Source: amazon-inspector (43ce5813fba2660b094a3e8a5c5a0bf2f1972530c294830c0a2e3d15dcd1b096)
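The mechanism described above is an install-time lifecycle hook: npm runs `preinstall` automatically, so the script executes with the installer's full environment before anyone looks at the package contents. The following check, added here as an example and not part of the OSV record or the package, flags such hooks across a dependency tree already parsed into memory; the function names and the sample manifests are constructed for illustration.

```javascript
// Scripts npm runs on its own during `npm install`, with no user action.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Commands that hand a file shipped in the package to an interpreter; this is
// the shape of the report's preinstall="node index.js".
const INTERPRETER_RE = /^\s*(node|npx|sh|bash|python3?)\b/;

// Audit one parsed package.json object and return a finding per install hook.
function auditInstallHooks(manifest) {
  const scripts = manifest.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string" || cmd.trim() === "") continue;
    findings.push({
      package: `${manifest.name}@${manifest.version}`,
      hook,
      command: cmd,
      // Interpreter-on-packaged-file hooks rank highest; other hooks still merit review.
      severity: INTERPRETER_RE.test(cmd) ? "high" : "medium",
    });
  }
  return findings;
}

// Walk every manifest of a dependency tree (e.g. each node_modules/*/package.json
// read and JSON.parse'd beforehand) and collect all install-time hooks.
function auditTree(manifests) {
  return manifests.flatMap(auditInstallHooks);
}

// Render findings as one line each, suitable for a CI log.
function formatFindings(findings) {
  return findings.map((f) => `[${f.severity}] ${f.package} ${f.hook}: ${f.command}`);
}

// Constructed sample tree: the first manifest mirrors the shape the report
// describes (a preinstall hook and a main entry that is the same script);
// the second is a benign package whose only script runs on `npm test`.
const SAMPLE_TREE = [
  { name: "@vpms/design-system", version: "1.1.2", main: "index.js",
    scripts: { preinstall: "node index.js" } },
  { name: "benign-utils", version: "1.0.0", scripts: { test: "node test.js" } },
];

console.log(formatFindings(auditTree(SAMPLE_TREE)).join("\n"));
```

Running the audit in CI before `npm install` complements, rather than replaces, installing with `ignore-scripts` set in the npm config, which stops these hooks from executing at all.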